Re: [webpayments] How do we protect certian data in the messages from certain parties in the flow as the use case requires? (#78)

What would the reason be for standardizing it? That the Web Payment spec guarantees some level of security? That it will be easier for payment apps to apply message authentication and confidentiality? 

I'm skeptical about this being standardized, and believe it should be left to the PSPs and the payment apps. Cryptography is a living research area, it is complex, and if you look at TLS it's easy to see how that leads to constant changes and backward compatibility issues for the browsers and other clients. Even if Web Payments spec did standardize message authentication and confidentiality, many PSPs would likely end up continue using their own schemes.

Finally, in many cases, it's not the payment app that applies the message authentication and confidentiality. It may be done by the PSP itself when the payment app authenticates the user and authorizes the transaction. The payment app will then forward the authorization message from PSP to the payee, which then forwards the message back to the PSP embedded in a transfer request. This is how [Braintreepayments](https://developers.braintreepayments.com/start/overview) is set up (follow the nonce).

---
Reply to this email directly or view it on GitHub:
https://github.com/w3c/webpayments/issues/78#issuecomment-178644091

Received on Tuesday, 2 February 2016 15:43:45 UTC